Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

ID: G0034
Associated Groups: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, VOODOO BEAR
Version: 2.0
Created: 31 May 2017
Last Modified: 13 April 2021

Associated Group Descriptions

Name Description
ELECTRUM [8][2]
Telebots [6][1][2]
IRON VIKING [9][1][2]
BlackEnergy (Group) [6][2]
Quedagh [3][10][2]
VOODOO BEAR [4][1][2]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.[11]

.003 Account Discovery: Email Account

Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.[12]

Enterprise T1583 .001 Acquire Infrastructure: Domains

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.[1]

.004 Acquire Infrastructure: Server

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[1]

Enterprise T1595 .002 Active Scanning: Vulnerability Scanning

Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.[11]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Sandworm Team has created VBScripts to run an SSH server.[13][11][14]

.001 Command and Scripting Interpreter: PowerShell

Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.[1]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[11]

Enterprise T1485 Data Destruction

Sandworm Team has used the BlackEnergy KillDisk component to overwrite files on Windows-based Human-Machine Interfaces.[15][14]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Sandworm Team's BCS-server tool uses Base64 encoding and HTML tags for its communication traffic with the C2 server.[11]

Enterprise T1005 Data from Local System

Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.[1]

Enterprise T1491 .002 Defacement: External Defacement

Sandworm Team defaced approximately 15,000 websites belonging to Georgian government, non-government, and private sector organizations in 2019.[1][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group has also decrypted received information using the Triple DES algorithm and decompressed it using GZip.[11][12]

Enterprise T1587 .001 Develop Capabilities: Malware

Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[1]

Enterprise T1561 .002 Disk Wipe: Disk Structure Wipe

Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record.[15][14]

Enterprise T1499 Endpoint Denial of Service

Sandworm Team temporarily disrupted service to Georgian government, non-government, and private sector websites after compromising a Georgian web hosting provider in 2019.[1]

Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.[1]

.002 Establish Accounts: Email Accounts

Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Sandworm Team has sent system information to its C2 server using HTTP.[11]

Enterprise T1203 Exploitation for Client Execution

Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906).[16][17][18]

Enterprise T1133 External Remote Services

Sandworm Team has used Dropbear SSH with a hardcoded backdoor password to maintain persistence within the target network. Sandworm Team has also used VPN tunnels established in legitimate software company infrastructure to gain access to internal networks of that software company's users.[13][14][19]

Enterprise T1083 File and Directory Discovery

Sandworm Team has enumerated files on a compromised host.[1]

Enterprise T1592 .002 Gather Victim Host Information: Software

Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.[1]

Enterprise T1589 .003 Gather Victim Identity Information: Employee Names

Sandworm Team's research of potential victim organizations included the identification and collection of employee information.[1]

.002 Gather Victim Identity Information: Email Addresses

Sandworm Team has obtained valid email addresses while conducting research against target organizations; these were subsequently used in spearphishing campaigns.[1]

Enterprise T1590 .001 Gather Victim Network Information: Domain Properties

Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.[1]

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Sandworm Team has used backdoors that can delete files used in an attack from an infected system.[11][12]

Enterprise T1105 Ingress Tool Transfer

Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[11][1]

Enterprise T1056 .001 Input Capture: Keylogging

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.[11]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Sandworm Team has avoided detection by naming a malicious binary explorer.exe.[11][1]
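A defender-side check for this technique, added here as an illustrative example rather than anything from the ATT&CK page or the group's tooling: screen process-creation events for images that carry the name of a well-known Windows binary but were launched from a directory where that binary does not normally live. The expected-directory table and the sample events are constructed assumptions for a default Windows install; tune the table to the environment being monitored.

```python
"""Flag process images named like a Windows system binary (e.g. explorer.exe)
but started from outside that binary's expected directory (ATT&CK T1036.005)."""
import ntpath

# Assumption: expected locations on a default Windows install. Keys are
# lowercase image names; values are sets of lowercase parent directories.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
}


def is_masquerading(image_path: str) -> bool:
    """Return True when the image name matches a tracked system binary but its
    parent directory is not one of the expected locations for that name."""
    norm = image_path.replace("/", "\\").strip().lower()
    directory, name = ntpath.split(norm)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return False  # not a name we track; nothing to compare against
    return directory.rstrip("\\") not in expected


def flag_events(events):
    """events: iterable of dicts with 'host', 'user' and 'image' keys.
    Returns the subset whose image path looks like a masquerade."""
    return [e for e in events if is_masquerading(e["image"])]


# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "image": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "user": "alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\explorer.exe"},
    {"host": "ws02", "user": "bob", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "user": "bob", "image": r"C:\ProgramData\svchost.exe"},
    {"host": "ws03", "user": "carol", "image": r"C:\Program Files\Vendor\tool.exe"},
]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_EVENTS):
        print(f"[possible masquerade] host={e['host']} user={e['user']} image={e['image']}")
```

The comparison is on the parent directory rather than a path prefix, so a copy of explorer.exe dropped into a user's Temp folder or into ProgramData is flagged while the genuine binary under C:\Windows is not. Path normalisation (slash direction, case) matters because the same image can be logged in several spellings by different sensors.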

Enterprise T1040 Network Sniffing

Sandworm Team has used Intercepter-NG to sniff passwords in network traffic.[11]

Enterprise T1571 Non-Standard Port

Sandworm Team has used port 6789 to accept connections on the group's SSH server.[13]

Enterprise T1027 Obfuscated Files or Information

Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption, and compression with the zlib library for its Python-based backdoor.[16][11]

Enterprise T1588 .002 Obtain Capabilities: Tool

Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.[1]

.006 Obtain Capabilities: Vulnerabilities

In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.[11][14]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.[16][15][11][1]

.002 Phishing: Spearphishing Link

Sandworm Team has crafted phishing emails containing malicious hyperlinks.[1]

Enterprise T1598 .003 Phishing for Information: Spearphishing Link

Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.[1]

Enterprise T1090 Proxy

Sandworm Team's BCS-server tool can create an internal proxy server to redirect traffic from the adversary-controlled C2 to internal servers which may not be connected to the internet, but are interconnected locally.[11]

Enterprise T1219 Remote Access Software

Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously open electrical circuit breakers.[15]

Enterprise T1018 Remote System Discovery

Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD.[11]

Enterprise T1593 Search Open Websites/Domains

Sandworm Team researched Ukraine's unique legal entity identifier (called an "EDRPOU" number), including running queries on the EDRPOU website, in preparation for the NotPetya attack. Sandworm Team has also researched third-party websites to help it craft credible spearphishing emails.[1]

Enterprise T1594 Search Victim-Owned Websites

Sandworm Team has conducted research against potential victim websites as part of its operational planning.[1]

Enterprise T1505 .003 Server Software Component: Web Shell

Sandworm Team has used webshells including P.A.S. Webshell to maintain access to victim networks.[19]

Enterprise T1218 .011 Signed Binary Proxy Execution: Rundll32

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[12]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.[20][14][1]

Enterprise T1082 System Information Discovery

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[12][1]

Enterprise T1016 System Network Configuration Discovery

Sandworm Team used malware to enumerate proxy settings from the M.E.Doc application.[12]

Enterprise T1049 System Network Connections Discovery

Sandworm Team has gathered user, IP address, and server data related to RDP sessions on a compromised host. It has also accessed network diagram files useful for understanding how a host's network was configured.[1]

Enterprise T1033 System Owner/User Discovery

Sandworm Team has collected the username from a compromised host.[1]

Enterprise T1199 Trusted Relationship

Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization.[1]

Enterprise T1204 .002 User Execution: Malicious File

Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.[11][1]

.001 User Execution: Malicious Link

Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[1]

Enterprise T1078 Valid Accounts

Sandworm Team has used previously acquired legitimate credentials prior to attacks.[15]

.002 Valid Accounts: Domain Accounts

Sandworm Team has used stolen credentials to access administrative accounts within the domain.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands for its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands, and hosted malicious payloads on putdrive.com.[11][14]

Software

ID Name References Techniques
S0089 BlackEnergy [3][10][1][2] Abuse Elevation Control Mechanism: Bypass User Account Control, Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Fallback Channels, File and Directory Discovery, Hijack Execution Flow: Services File Permissions Weakness, Indicator Removal on Host: Clear Windows Event Logs, Indicator Removal on Host, Input Capture: Keylogging, Network Service Scanning, Peripheral Device Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: SMB/Windows Admin Shares, Screen Capture, Subvert Trust Controls: Code Signing Policy Modification, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Unsecured Credentials: Credentials In Files, Windows Management Instrumentation
S0555 CHEMISTGAMES [21] Command-Line Interface, Data from Local System, Deliver Malicious App via Authorized App Store, Download New Code at Runtime, Location Tracking, Masquerade as Legitimate Application, Native Code, Obfuscated Files or Information, Standard Application Layer Protocol, Standard Cryptographic Protocol, Supply Chain Compromise, System Information Discovery
S0401 Exaramel for Linux [22][19] Abuse Elevation Control Mechanism: Setuid and Setgid, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Systemd Service, Create or Modify System Process, Deobfuscate/Decode Files or Information, Fallback Channels, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Cron, System Owner/User Discovery
S0343 Exaramel for Windows [22] Archive Collected Data, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Staged: Local Data Staging, Masquerading: Masquerade Task or Service, Modify Registry
S0231 Invoke-PSImage [1] Obfuscated Files or Information
S0368 NotPetya [6][1][2] Data Encrypted for Impact, Exploitation of Remote Services, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Masquerading, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Services: Service Execution, System Shutdown/Reboot, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0365 Olympic Destroyer [23][9][1][2] Credentials from Password Stores: Credentials from Web Browsers, Data Destruction, Indicator Removal on Host: Clear Windows Event Logs, Inhibit System Recovery, Lateral Tool Transfer, Network Share Discovery, OS Credential Dumping: LSASS Memory, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, Service Stop, System Network Configuration Discovery, System Services: Service Execution, System Shutdown/Reboot, Windows Management Instrumentation
S0598 P.A.S. Webshell [19] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Brute Force: Password Guessing, Command and Scripting Interpreter, Data from Information Repositories, Data from Local System, Deobfuscate/Decode Files or Information, File and Directory Discovery, File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Network Service Scanning, Obfuscated Files or Information, Server Software Component: Web Shell, Software Discovery

References